
How to make and burn an encrypted CD under Linux 2.6.x

Untar the new kernel and copy it to your /usr/src directory. Then cd to /usr/src. You will need to use either 'make gconfig' or 'make menuconfig' to configure the kernel.

In this tutorial, we will use menuconfig for our examples. Type in

#make menuconfig

You will have to go through and configure the kernel according to your system specifics. I can't do that for you as there are just too many variables. Make sure you are familiar with your system specifics, and compile in support for the various components for your system. That is out of the scope of this tutorial, and we will only discuss configuration for encryption support in this paper.

The first thing we will want to do is enable loopback device support. This option is located under

Device Drivers ---> Block Devices ---> Loopback device support.

There are two options here. We can either compile this support directly into the kernel or compile it as a module (as will be the case for each of our options). Do whichever you feel more comfortable with. Remember that if you compile these options as modules, you will either need to edit /etc/rc.d/rc.modules to load the modules on boot or load them manually with modprobe. For loopback support, I would suggest compiling support directly into the kernel, but the choice is yours. If you want to compile loopback support directly into the kernel, then scroll down to loopback support and enter 'y'. If you want to compile it as a module, type in 'm'.

Right below loopback support is the option for Cryptoloop support. I suggest compiling support for cryptoloop as a module. But again, you can compile it directly into the kernel if you choose.

Next, we need to enable our encryption algorithms. Choose 'Exit' to revert back to the former screen and exit that screen as well to return to the original screen. Scroll down to 'Cryptographic options' and press 'enter'. You will be presented with the following options

A few of these options are already selected by default. I would suggest selecting all of the remaining options and choose to compile them as modules. You may at various times need access to any one of these algorithms, but it's rather senseless to compile all of them directly into the kernel. If there is one particular algorithm that you tend to use a lot or exclusively, then you might want to consider compiling that algorithm directly into the kernel.

This is all you really need to do for what we will discuss in this tutorial. However, there is another encryption option available to us that would probably be a good idea to add also. This option is the md-crypt option, and will be the successor to cryptoloop. There are some good tutorials available for using this function, so before we finish up, let's go ahead and enable this option as well.

Again, choose 'exit' to return to the main screen after you have selected the options mentioned above. Once you return back to the original screen, choose

Device drivers ---> Multi-device support (RAID and LVM) --->

Compile support for Multi-device support (RAID and LVM) directly into the kernel, as well as the 'Device mapper' option below that. Also, compile support for Crypt target support as a module. This is the actual 'md-crypt' option. That's all we need to do there, and we will have md-crypt and device mapper support for later projects.

After you have finished selecting all the options you want to have in your new kernel, exit and save your work. Type in 'make modules' and 'make modules_install'. When this has finished, we will want to copy the new kernel into our 'boot' directory. First make a backup of your existing kernel, your config files and System.map files in the '/boot' directory. Then copy the new kernel over.

Next, type in 'lilo' to reload the new configuration and then reboot. If everything works smoothly after a reboot, then you have done a great job! We are ready to proceed. If you have problems with anything, you will have to figure out what you forgot and go back and reconfigure the kernel again, and repeat the same process. Once you have gotten everything on your system running smoothly with the new kernel, we will move on to how we will create the encrypted ISO image that we will burn to a CD.

To create the encrypted ISO, we first start by filling an empty ISO image with random data. Make sure that you make the image large enough to hold the contents of the documents directory you wish to encrypt.

#dd if=/dev/urandom of=crypt.iso bs=1M count=650

Next, set up the loop device

#losetup -e blowfish /dev/loop1 crypt.iso

Enter your password, again being careful in what you type, as you will not have a chance to verify the password.

Next, we will run mkisofs through the loop device using the documents folder we wish to encrypt

#mkisofs -r -o /dev/loop1 /documents

Create a mount point for the ISO image.

#mkdir /mnt/crypto

And then mount the image, verifying that you have the correct password

If all has gone well, you should see the encrypted ISO image from the CD listed in unencrypted form in the /mnt/crypto directory.

The CD will not even be mountable without the encryption passphrase. This adds even more security to your CD in addition to the fact that the documents stored on the CD are encrypted. The files stored on the CD in encrypted form will not be copyable without first being mounted, and the CD will not mount without the passphrase. This adds quite a bit of protection for your sensitive files.
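A check for the kernel configuration steps above, as an added example that is not part of the original post: it reads a kernel .config and reports whether each option the tutorial enables is built in, a module, or missing. The CONFIG_ symbol names are the kernel's own names for those menu entries and do not appear in the post; the sample .config is constructed.

```shell
#!/bin/sh
# Added example: verify that a kernel .config has the options this tutorial enables.

# Print the state of one symbol: "y" (built in), "m" (module) or "n" (unset/absent).
config_state() {
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | tail -n 1)
    echo "${val:-n}"
}

# Report every required option; the return status is the number of missing options.
check_crypt_config() {
    missing=0
    for sym in CONFIG_BLK_DEV_LOOP CONFIG_BLK_DEV_CRYPTOLOOP \
               CONFIG_CRYPTO_BLOWFISH CONFIG_MD CONFIG_BLK_DEV_DM CONFIG_DM_CRYPT
    do
        state=$(config_state "$1" "$sym")
        case $state in
            y) echo "$sym: built in" ;;
            m) echo "$sym: module (load via modprobe or rc.modules)" ;;
            *) echo "$sym: NOT ENABLED"; missing=$((missing + 1)) ;;
        esac
    done
    return "$missing"
}

# Constructed sample .config (not from a real system) for a quick demonstration.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_BLK_DEV_LOOP=y
CONFIG_BLK_DEV_CRYPTOLOOP=m
CONFIG_CRYPTO_BLOWFISH=m
CONFIG_MD=y
CONFIG_BLK_DEV_DM=y
# CONFIG_DM_CRYPT is not set
EOF
check_crypt_config "$sample" || echo "$? option(s) still missing"
rm -f "$sample"
```

Point check_crypt_config at the .config in your kernel source directory before running 'make modules'; a missing option found here is cheaper to fix than one discovered when losetup fails after the reboot.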

But I've noticed an error in a piece of (my own) script in http://www.rootshellsecurity.com/papers/chroot.html
Where it says PARAS="$PARAMETERS $parameter" it should say PARAMETERS="$PARAMETERS $parameter"
It is indeed wrong in my old tutorial but AO won't allow me to fix it (there is a note in the thread linking to an updated version)
The fixed version of the script (and rest of the tutorial) can be found here.

It's nice how you kept my copyright in the script..
But replacing my CC licence (for the original tut) with a GNU one is a bit on the edge, it might be nice if you'd link to my tutorial as a source..

ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio the best station for C64 Remixes !

Hey, thanks for catching that. It's most appreciated! Although this is more of a personal matter (I sent you a PM), since you posted in the forum, I will also reply here.

As you can see, the page itself was written by me, using your tut as a source. But absolutely, your tut WAS the source of the outline. I would be more than happy to post a copy of your paper, replacing the one I wrote, with full credits to you of course if you would like to submit one.

As far as 'replacing your GPL license' with the GNU documentation License. That was not my intention. Your GPL for the script is on that page. The GNU documentation license was intended for the page in its entirety.

But like I said, by all means! If you want full credit, I will absolutely give that to you. In fact, I would prefer that you submit your own version where I CAN give you full credit since your tut was the source of the paper.

If all you want is just a link to your post, I can accommodate you there as well. But consider rewriting your tutorial and submitting it. Like I said, I will replace the one I wrote, with the one you wrote, and you will have full credit!

I thought you wrote a great tut, and thought it deserved to be reposted! That was intended to be something gracious in that more people would see it, as well as your credit for the script. It was posted, not to STEAL it! I coulda swore I read a GPL there. Geezus man. Hey, if you think I stole it, you just let me know, I'll be happy to remove it!

The papers listed at rootshellsecurity.com were all written by myself. I haven't 'stolen' anyone's 'tuts!' lol!

The one exception is the paper on chrooting, which I DID by the way write! Just because I used your tut as a source (which BTW..again...did have a GPL statement) doesn't mean I 'stole' it from you! ESPECIALLY considering I reprinted credit to you!

Why would you say I 'stole' this?

Hell, nevermind. The paper is removed.

If you think I 'STOLE' your paper, then I really apologize. Why? Because I do not want to 'STEAL' anyone else's work! If you knew me personally jinx, you would know that no harm was intended. I absolutely wanted you to have credit for your work, which I DID! Your Name and your GPL statement! I also gave myself credit for the paper itself because I DID write the paper! I definitely did not copy and paste your work!

I don't know why you think that I 'STOLE' your work. But if you do, then you absolutely have my apology. As I said, the paper was taken offline.

The only thing that bothered me was that I was being made to look like a thief! And that just is not my style! But the way you are handling this since I responded makes me feel a lot better! I'm sure you can understand what I'm saying!

In regards to reposting the paper, like I said..I would really prefer to have you submit your original paper. All the papers that have my name on them, were written solely from within my own head, no parts of which were reprinted from anyone else's work.

You wrote a great tutorial there! And you also have the chroot shell script you wrote. I would love to have your paper posted, but I will leave it up to you if you would like to submit your original paper. That way, it's written from the source and I can give you full credit. And I won't have any papers up that have any reprinted parts!